CVE-2026-20205
Published: 15 April 2026
Summary
CVE-2026-20205 is a high-severity Insertion of Sensitive Information into Log File (CWE-532) vulnerability in the Splunk MCP Server app for the Splunk platform, affecting versions below 1.0.3. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Credentials In Files (T1552.001); ranked at the 17.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related — categorised as AI Agent Protocols and Integrations; in the Privacy and Disclosure risk domain.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and AU-9 (Protection of Audit Information).
Deeper analysis
CVE-2026-20205 is a vulnerability in the Splunk MCP Server app, versions below 1.0.3, that allows users with specific privileges to view other users' session and authorization tokens in clear text. The root cause is insecure logging (CWE-532): the tokens are written to internal log files that the Splunk platform indexes into `_internal`, so anyone who can read those files or search that index can read the tokens. It carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H): high impact across confidentiality, integrity and availability, tempered only by the high privileges (PR:H) the attacker must already hold.
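To make the CWE-532 pattern concrete, here is an added example, not code from the Splunk MCP Server app (the advisory does not describe its logging internals): one request handler that logs the Authorization header unfiltered, and the same handler behind a redaction filter. The header dict and log lines are constructed; the `Splunk <sessionKey>` and `Bearer <token>` schemes are the two the Splunk REST API accepts, and the names `redact`, `RedactTokensFilter`, `build_logger` and `handle_request` are this example's own.

```python
"""CWE-532 side by side: a request handler that logs the Authorization header
unfiltered, and the same handler behind a redaction filter. Added example, not
code from the Splunk MCP Server app. Constructed data: the header dict and the
log lines. Assumed: the `Splunk <sessionKey>` and `Bearer <token>` schemes,
which are the two the Splunk REST API accepts."""
import io
import logging
import re

# A token preceded by a Splunk/Bearer scheme or a sessionKey=/token= field.
# The {16,} floor keeps ordinary prose such as "Splunk MCP" from being redacted.
_TOKEN_RE = re.compile(
    r"(?i)((?:Splunk|Bearer)\s+|\b(?:sessionKey|token)=)([A-Za-z0-9._\-]{16,})"
)


def redact(text):
    """Replace token material, keeping the scheme/field name so logs stay readable."""
    return _TOKEN_RE.sub(lambda m: m.group(1) + "[REDACTED]", text)


class RedactTokensFilter(logging.Filter):
    """Runs before any handler: rewrites the fully formatted message and drops
    the args so no handler can re-render the original text."""

    def filter(self, record):
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


def build_logger(name, redact_tokens):
    """In-memory logger so both variants can be compared without files."""
    buf = io.StringIO()
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    if redact_tokens:
        logger.addFilter(RedactTokensFilter())
    return logger, buf


# Constructed request headers; the session key is a made-up JWT-shaped string.
SAMPLE_HEADERS = {
    "Authorization": "Splunk eyJraWQiOiJzcGx1bmsiLCJhbGciOiJIUzUxMiJ9.c2Vzc2lvbg.c2ln",
    "User-Agent": "mcp-client/1.0",
}


def handle_request(headers, redact_tokens):
    """Vulnerable habit: dump all headers at DEBUG and echo the session key at
    INFO. With redact_tokens=False this is the CWE-532 bug; with True the
    filter strips the token before the record reaches the handler."""
    name = "mcp.request.safe" if redact_tokens else "mcp.request.raw"
    logger, buf = build_logger(name, redact_tokens)
    logger.debug("tool call from %s headers=%s", headers["User-Agent"], headers)
    session_key = headers["Authorization"].split(" ", 1)[1]
    logger.info("session lookup sessionKey=%s", session_key)
    return buf.getvalue()


if __name__ == "__main__":
    print(handle_request(SAMPLE_HEADERS, redact_tokens=False))
    print(handle_request(SAMPLE_HEADERS, redact_tokens=True))
```

The filter is attached to the logger rather than to a handler on purpose: a handler-level filter only protects that one sink, while a logger-level filter rewrites the record before every handler, including any added later by a platform that forwards app logs into `_internal`.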
Exploitation requires a role with search access to the Splunk `_internal` index or the high-privilege capability `mcp_tool_admin`. In practice that means either local read access to the log files on the Splunk instance running the app, or administrative access to internal indexes, which by default only the admin role receives. A successful read yields other users' clear-text tokens, which can then be replayed to act as those users: unauthorized data access, data manipulation, or denial of service, matching the high confidentiality, integrity and availability impacts in the CVSS vector. The practical concern is less the default admin role, which already holds broad rights, than any custom or inherited role that has been granted `_internal` search access or `mcp_tool_admin` over time; such a role becomes a path to impersonating every user whose token has been logged.
The Splunk advisory at https://advisory.splunk.com/advisories/SVD-2026-0407 recommends upgrading to version 1.0.3 or later and reviewing roles and capabilities to restrict access to the _internal index to administrator-level roles only. Additional guidance is available in Splunk documentation on defining roles with capabilities and MCP Server admin settings.
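The advisory's role review can be scripted. The following is an added example, not Splunk's own tooling: it parses an `authorize.conf` (a constructed sample is embedded) and lists every role that can search `_internal` or holds `mcp_tool_admin`, following `importRoles` inheritance. It assumes Splunk's documented index-pattern semantics, where `*` matches only non-internal indexes and `_*` is needed to match internal ones; the function names `parse_roles`, `effective_access`, `index_matches` and `audit` are this example's own.

```python
"""Audit a Splunk authorize.conf for roles that could read the tokens leaked by
CVE-2026-20205: any role that can search `_internal`, or that holds the
`mcp_tool_admin` capability, directly or through importRoles inheritance.
Added example, not Splunk code. The authorize.conf text below is constructed.
Assumed index semantics: `*` matches non-internal indexes only; `_*` matches
indexes whose names start with an underscore, such as `_internal`."""
import configparser
import fnmatch

# Constructed sample: one admin role, a plain user role, a power role with
# internal-index access, an MCP operator role, and an analyst role that
# inherits internal-index access indirectly through `power`.
SAMPLE_AUTHORIZE_CONF = """
[role_admin]
srchIndexesAllowed = *;_*
mcp_tool_admin = enabled
edit_user = enabled

[role_user]
srchIndexesAllowed = main;web
search = enabled

[role_power]
importRoles = user
srchIndexesAllowed = *;_*
schedule_search = enabled

[role_mcp_operator]
importRoles = user
mcp_tool_admin = enabled

[role_analyst]
importRoles = power
srchIndexesAllowed = security
"""


def _split(value):
    return [v.strip() for v in value.split(";") if v.strip()]


def parse_roles(conf_text):
    """Return {role: {imports, indexes, caps}} from [role_<name>] stanzas."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep Splunk's camelCase keys such as importRoles
    cp.read_string(conf_text)
    roles = {}
    for section in cp.sections():
        if not section.startswith("role_"):
            continue
        opts = dict(cp[section])
        roles[section[len("role_"):]] = {
            "imports": _split(opts.get("importRoles", "")),
            "indexes": _split(opts.get("srchIndexesAllowed", "")),
            # Capabilities are granted as `<capability> = enabled`.
            "caps": {k for k, v in opts.items() if v.strip().lower() == "enabled"},
        }
    return roles


def effective_access(roles, name, _seen=None):
    """Union of index patterns and capabilities reachable via importRoles.
    `_seen` guards against import cycles and repeated diamond paths."""
    seen = _seen if _seen is not None else set()
    if name in seen or name not in roles:
        return set(), set()
    seen.add(name)
    role = roles[name]
    indexes, caps = set(role["indexes"]), set(role["caps"])
    for parent in role["imports"]:
        p_idx, p_caps = effective_access(roles, parent, seen)
        indexes |= p_idx
        caps |= p_caps
    return indexes, caps


def index_matches(pattern, index):
    """Splunk rule: a bare `*` never covers underscore-prefixed internal indexes."""
    if index.startswith("_") and not pattern.startswith("_"):
        return False
    return fnmatch.fnmatchcase(index, pattern)


def audit(conf_text, index="_internal", capability="mcp_tool_admin"):
    """Map each exposed role to the reasons it can reach the leaked tokens."""
    roles = parse_roles(conf_text)
    findings = {}
    for name in roles:
        indexes, caps = effective_access(roles, name)
        reasons = []
        if any(index_matches(p, index) for p in indexes):
            reasons.append(f"can search {index}")
        if capability in caps:
            reasons.append(f"holds {capability}")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for role, reasons in audit(SAMPLE_AUTHORIZE_CONF).items():
        print(f"{role}: {', '.join(reasons)}")
```

On a live instance, feed it the merged configuration rather than a single file (for example the output of `splunk btool authorize list --debug`, with the source-file annotations stripped), since role definitions are layered across apps. The admin role will always appear in the findings; the items to act on are every other role listed, which should lose `_internal` access or `mcp_tool_admin` unless it is genuinely administrator-level.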
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-22935
Vulnerability details
In Splunk MCP Server app versions below 1.0.3, a user who holds a role with access to the Splunk `_internal` index or possesses the high-privilege capability `mcp_tool_admin` could view users' session and authorization tokens in clear text. The vulnerability would require either local access to the log files or administrative access to internal indexes, which by default only the admin role receives.

Review roles and capabilities on your instance and restrict internal index access to administrator-level roles. See [Define roles on the Splunk platform with capabilities](https://docs.splunk.com/Documentation/Splunk/latest/Security/Rolesandcapabilities) and [Connecting to MCP Server and Admin settings](https://help.splunk.com/en/splunk-enterprise/mcp-server-for-splunk-platform/connecting-to-mcp-server-and-admin-settings) in the Splunk documentation for more information.
- CWE(s): CWE-532 Insertion of Sensitive Information into Log File
AI Security Analysis
- AI Category: AI Agent Protocols and Integrations
- Risk Domain: Privacy and Disclosure
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: matched keyword "mcp"
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Clear-text session and authorization tokens written to log files and the `_internal` index are credentials in files (T1552.001, Unsecured Credentials: Credentials In Files); a harvested token can then be presented as alternate authentication material to impersonate the user it belongs to (T1550.001, Use Alternate Authentication Material: Application Access Token).
Affected Assets: Splunk MCP Server app, versions below 1.0.3 (fixed in 1.0.3)
Mitigating Controls (NIST 800-53 r5)
- Vendor fix: upgrade Splunk MCP Server to version 1.0.3 or later, which remediates the insecure logging of clear-text session and authorization tokens at the source.
- AC-6 (Least Privilege): restrict access to the Splunk `_internal` index and the `mcp_tool_admin` capability to administrator-level roles only, so that no other role can read the exposed tokens.
- AU-9 (Protection of Audit Information): protect the `_internal` index logs from unauthorized access and non-administrative search, which directly limits exposure of clear-text user session and authorization tokens.